Hello,
Still trying to find a way to manage false positives in a search, I am leaning more and more towards an external file which could be looked up as part of a search to modify (filter) the search results.
Do you know of examples where, within a Splunk search string, there is a call to a script to which two parameters are passed and this script returns a value (boolean or other) which then influences the results? Something like (I know that the syntax is incorrect, I just want to give an idea of what I want to achieve):
... | eval IsFalsePositive = script CheckFalsePositives(host,vulnID) | search IsFalsePositive=0
The script documentation mentions that one can run a script which outputs some data. How could this be adapted to my case (what I provided is just my idea of how to handle this kind of search filtering - there may be better ways than to assign a variable which is then checked for its value)? I also saw the article about handling inputs, which could be adequate, but the example (iplocate) is far from obvious.
Maybe it would be possible to directly implement this in a Splunk search (without a script)? Ideally the file would have the following content:
machine_name,vulnerability
host1,vuln1
host5,*
*,vuln32
...
which would cover all reasonable cases (line 1: ignore vuln1 for host1, line 2: ignore all vulnerabilities for host 5, line 3: ignore all hosts for vulnerability vuln32).
Thank you!
I think the pieces you need are:
If you don't need to (re-)generate the table based upon search results, then just go with inputlookup.
This is an interesting idea (I am still trying to understand the details in the pages you linked to), but the false positives will not be generated through a search but manually, in a table similar to the one in my question. This is why I was looking more at a scripted search, which should also be more flexible (whether something is a false positive or not could also depend, potentially, on external data, like the location for instance).
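As an added example (not code from this thread): the check the question describes, written in plain Python over a constructed copy of the exception table, with "*" treated as a wildcard and the result exposed as an IsFalsePositive field of 0 or 1 so that the "| search IsFalsePositive=0" step maps onto a simple filter. It assumes findings arrive as records with host and vulnID fields; wrapping this in a Splunk custom search command is left out.

```python
import csv
import fnmatch
import io

# Constructed sample of the exception table from the question.
# "*" in either column matches anything (shell-style wildcard).
FALSE_POSITIVE_CSV = """machine_name,vulnerability
host1,vuln1
host5,*
*,vuln32
"""


def load_rules(csv_text):
    """Parse the exception table into (host_pattern, vuln_pattern) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["machine_name"].strip(), row["vulnerability"].strip())
            for row in reader]


def is_false_positive(rules, host, vuln_id):
    """True if any rule matches BOTH the host and the vulnerability id.

    Matching is a whole-string wildcard match, so the rule "*,vuln32"
    matches vuln32 but not vuln320. Comparison is case-insensitive
    because hostnames often differ in case between data sources.
    """
    for host_pat, vuln_pat in rules:
        if (fnmatch.fnmatchcase(host.lower(), host_pat.lower())
                and fnmatch.fnmatchcase(vuln_id.lower(), vuln_pat.lower())):
            return True
    return False


def tag_findings(rules, findings):
    """Add IsFalsePositive=0/1 to each finding, mirroring the eval step."""
    return [dict(f, IsFalsePositive=int(is_false_positive(rules, f["host"], f["vulnID"])))
            for f in findings]


def filter_findings(rules, findings):
    """Keep only findings that are not known false positives (IsFalsePositive=0)."""
    return [f for f in tag_findings(rules, findings) if f["IsFalsePositive"] == 0]


if __name__ == "__main__":
    # Constructed findings, in the shape of the search's host/vulnID fields.
    sample = [{"host": "host1", "vulnID": "vuln1"},
              {"host": "host2", "vulnID": "vuln32"},
              {"host": "host7", "vulnID": "vuln320"}]
    for f in filter_findings(load_rules(FALSE_POSITIVE_CSV), sample):
        print(f)
```

The script-free route hinted at in the answer is a lookup definition with wildcard matching (match_type = WILDCARD(...) in transforms.conf), which lets the same table be applied with the lookup command.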